March 16, 2008

First Law of Password Hygiene

Since moving to a team that handles the user accounts for everyone who uses any of Microsoft's web property, I've started to take a much more informed look at how I use my own account credentials and which web sites and applications I hand over those credentials to.

Angus Logan posted a great summary of the way Microsoft and Windows Live handles credential capture, which is worth a detailed read by everyone:

No Microsoft web site will ask you for your Live ID credentials except login.live.com (and accounts.live.com when linking accounts).
Any other web site which asks you for your credentials may not be evil.com but they could be sloppy coders or they could be hacked -- putting your credentials at risk of being stolen.

login.live.com

This equates to the First Law of Password Hygiene:

Only hand over your account credentials to your Identity Provider (for example, Windows Live ID).
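The rule above has a mechanical form: a password field is only ever acceptable when the form that contains it will submit to the identity provider itself. The following is an added example, not code from the original post or from Windows Live; it checks where a password form would actually send its contents, using the two hosts the post names (login.live.com and accounts.live.com) as the allow-list. The form descriptors at the bottom are constructed sample data, and the helper names are my own.

```javascript
// Added example: flag password forms that do not submit to the identity provider.
// The allow-list is the one stated in the post for Windows Live ID.
const IDP_HOSTS = new Set(["login.live.com", "accounts.live.com"]);

// Resolve a form's action against the page it sits on and return the absolute
// URL the credentials would be posted to. An empty action means "post back to
// this page", which is exactly what URL() does when given "" and a base.
function credentialDestination(pageUrl, action) {
  return new URL(action || "", pageUrl);
}

// True only when the submit target is one of the IdP hosts, over HTTPS.
// Comparing the parsed hostname exactly (rather than doing a substring match)
// handles look-alike hosts such as "login.live.com.example" and userinfo
// tricks such as "https://login.live.com@other.example/", because URL()
// reports the real host for both.
function goesToIdentityProvider(pageUrl, action) {
  const dest = credentialDestination(pageUrl, action);
  return dest.protocol === "https:" && IDP_HOSTS.has(dest.hostname);
}

// Given form descriptors (page URL, action attribute, whether the form has a
// password field), return the ones that ask for a password but would send it
// somewhere other than the identity provider.
function suspiciousPasswordForms(forms) {
  return forms.filter(
    (f) => f.hasPasswordField && !goesToIdentityProvider(f.pageUrl, f.action)
  );
}

// Constructed sample forms (hypothetical partner hosts, not real sites).
const SAMPLE_FORMS = [
  { id: "idp",       pageUrl: "https://login.live.com/login.srf",    action: "",                                          hasPasswordField: true },
  { id: "link",      pageUrl: "https://accounts.live.com/link",      action: "/link/post",                                hasPasswordField: true },
  { id: "partner",   pageUrl: "https://partner.example/signin",      action: "/signin",                                   hasPasswordField: true },
  { id: "lookalike", pageUrl: "https://partner.example/signin",      action: "https://login.live.com.example/auth",       hasPasswordField: true },
  { id: "userinfo",  pageUrl: "https://partner.example/signin",      action: "https://login.live.com@other.example/auth", hasPasswordField: true },
  { id: "plainhttp", pageUrl: "http://login.live.com/login.srf",     action: "",                                          hasPasswordField: true },
  { id: "search",    pageUrl: "https://partner.example/",            action: "/search",                                   hasPasswordField: false },
];

// Which of the sample forms should a user refuse to type a Live ID password into?
function suspiciousIds(forms = SAMPLE_FORMS) {
  return suspiciousPasswordForms(forms).map((f) => f.id);
}

console.log(suspiciousIds()); // → [ 'partner', 'lookalike', 'userinfo', 'plainhttp' ]
```

The same check is what a user is doing by eye when they glance at the address bar before typing a password; the point of writing it down is that "looks like login.live.com" is not the test, the exact host and HTTPS are.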

Entry categories: Live ID
Posted by Jorgen Thelin at March 16, 2008 03:49 PM

Comments
This is exactly why integrated security is a bad idea for the Internet. How is a user supposed to decide whether a password dialog is secure or not? It is not obvious whether the dialog posts data to the third-party website (which could be used maliciously to retrieve data from other websites that use the same integrated security provider) or posted directly to the identity provider. For this reason most people, I believe, prefer to use separate accounts for separate websites. By using different passwords the user can be confident that data cannot be shared between websites. Or the user may decide to use a generic password when information security is not a concern (no financial information). The trade-off between ease of use and security is tipped in favor of separate passwords when financial information is involved.

Posted by: Erik on March 19, 2008 07:01 AM